The federal privacy commissioner will look into the reported data breach that enabled an Ontario resident to access the personal information of other passport applicants using Passport Canada’s online application system.
The Office of the Privacy Commissioner of Canada was in the process of conducting an audit of Passport Canada when the news broke out this week about the security breach, said Colin McKay, spokesperson for the privacy commissioner.
“One of our auditors and technical specialists has called (Passport Canada) for an explanation as to what happened, and we’re going to add it to our audit,” said McKay.
McKay stressed, however, that the current audit of Passport Canada did not result from this recent breach, but rather part of a general audit being done on the agency. The Privacy Commissioner typically conducts audits on a particular government department or agency at a given time, to examine its information management practices.
“The audit was not prompted by the breach, it was already in place,” he said. “Earlier this month we had our auditors go to their facilities in Canada, as well as some places in Europe and Asia to take a look at how they collect information, store and protect it.”
Findings from the Passport Canada audit are expected to be released next spring, said McKay said.
According to media reports, a security flaw on Passport Canada’s Web site allowed Jamie Laning of Huntsville, Ontario to access the personal information of people applying for new passports, while in the process of completing his own passport application.
By altering one character in the URL he was able to view the passport applications of others, Laning had said in an interview with the Globe and Mail. Information that could be viewed included social insurance numbers, driver’s licence numbers and addresses.
“I don’t know technically what happened, but it seems to have been a question of not putting the right security controls in the backend of their online setup,” said McKay.
Upon learning of the security flaw, Laning called Passport Canada to inform the agency of his discovery, Fabien Lengelle, spokesperson for Passport Canada told Intergovworld.com.
“(Passport Canada) then shut down its system, investigated the matter and corrected it,” said Lengelle. “The breach has been resolved and it’s no longer possible for an applicant on Passport Online to view other applicant information.”
Lengelle stressed that Passport Online, Passport Canada’s online application portal, is not a permanent database and does not maintain records of personal information. “It’s only a gateway to funnel information to Passport Canada, but once a passport has been issued, information on Passport Online is removed.”
“The only information that this person was able to access was the information of one applicant that was applying at the same time, so it’s important to note that Passport Canada’s database was not jeopardized,” said Lengelle.
He added that those who have used Passport Online in the past are not at risk.
McKay said the reported breach is very timely as it allowed the privacy commissioner’s office to add it to its audit list and that Passport Canada has been informed of this addition.
McKay noted that the minister responsible for the Passport Canada office has given assurance that the Web site is secure, and that the Passport office has stated that it has put the necessary steps in place.
“We certainly hold the Passport Office to a high standard and we fully expect them to put it upon themselves to take down the servers like they did if they’re not certain that security isn’t absolutely guaranteed,” said McKay.
Lengelle said Passport Canada has asked “trusted third parties” to examine its system and help identify any other weaknesses.